Medical Devices Can Be Hacked Using Black Box Approach

Researchers in the UK/Belgium have discovered it is possible to hack certain medical devices even when no prior understanding of how the devices work is known. Cyberattacks could be conducted to gain access to sensitive patient data or to cause patients to be harmed. The research team discovered that malicious messages could be sent to the devices and signals sent to prematurely drain batteries.

The study was conducted by researchers at the University of Birmingham in the UK and the University of Leuven / University Hospital Gasthuisberg Leuven in Belgium.

The researchers discovered at least 10 different commonly used medical devices were vulnerable to these attacks, including pacemakers and the latest generation of implantable cardioverter defibrillators (ICDs). The researchers were able to extract medical records from the devices – including patients’ names – and claim these attacks could be pulled off by a relatively weak adversary.

By repeatedly sending signals to the devices they were able to prematurely drain batteries by preventing the devices going into sleep mode. It was also possible to increase the time that the devices could receive messages, allowing further malicious attacks to be conducted.

The researchers used inexpensive commercial off-the-shelf equipment to intercept and reverse-engineer communications between the devices and their device programmers and base stations. The equipment used to conduct the dummy attacks needed to be in relatively close proximity to the devices – up to 5 meters (around 16 feet) although the researchers said it would be possible to increase that distance by tens or hundreds of times if sophisticated antennas were used.

It was possible to intercept and manipulate signals with no prior understanding of the devices, even though the device manufacturers had taken some steps to obfuscate the data transmitted to and from the devices.

Fortunately, in order for the attacks to be conducted, an attacker would need to hold a magnetic programming head close to the device after it had been implanted in order for the device to be capable of receiving radio signals. Once activated it would be possible to send messages to the device for a period of up to two hours.

According to the researchers, “Our work revealed serious protocol and implementation weaknesses on widely used ICDs, which lead to several active and passive software radio-based attacks that we were able to perform in our laboratory” The researchers also explained that “security-by-obscurity is a dangerous design approach that often conceals negligent designs. Therefore, it is important for the medical industry to migrate from weak proprietary solutions to well-scrutinised security solutions and use them according to the guidelines.”

The findings of the research study will be presented at the Annual Computer Security Applications (ACSAC) conference in Los Angeles this week. The research paper can be viewed on this link.

About HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. HIPAA Journal's goal is to assist HIPAA-covered entities achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII.